[whatwg] More prohibited characters for unquoted attributes are needed

[Aryeh Gregor]

On Mon, Sep 7, 2009 at 1:34 PM, Geoffrey Sneddon
<foolistbar at googlemail.com> wrote:
> Apparently Hixie had previously said he didn't want to change this as it
> will become a non-issue over time. I think it does matter due to the
> security issues it presents in existing UAs. Conforming markup (using
> elements/attributes allowed in HTML 4.01) should not cause JS to execute in
> one browser but not in another.

I agree with you as an author.  I wrote an HTML output function in
MediaWiki assuming that what the standard says is known to be
interoperable, which is apparently wrong.  If I hadn't been keeping up
with HTML 5, I would have introduced an XSS vulnerability because of
some browsers' handling of `.

If the problem will go away with time, then perhaps a later version of
the standard could make such unquoted attributes conforming, once
there's no more problem with them.